The Investigation Timesuck
The investigation begins from a single security alert.
Security analysts face a daunting challenge for each security alert:
Is this a credible threat?
If so, what is the root cause?
What is its scope?
The timeline summarizes findings from the Ponemon Institute's 2019 Cost of a Data Breach report, which documents the long average periods of time organizations take to recognize, investigate, and remediate a breach.
Lateral movement, account switching, and simple evasion techniques escape basic methods of grouping alerts (e.g. grouping alerts from the same host or user).
The challenge of linking threat activity together is compounded when different analysts triage related alerts.
Cloud systems and containers may have changed or may no longer exist by the time the investigation begins, leaving impassable gaps when trying to recover attack steps.
Spyderbat differs from existing approaches by identifying the causal connections between user sessions, processes, files, network connections, machines, and containers, and assembling them into a stateful Operations Plane. This provides the groundwork for attack tracing.
Spyderbat captures attack traces in a Spydertrace by fusing the Operations Plane with a Security Plane. The Spyderbat Security Plane tracks third-party alerts from security controls such as a SIEM or SOAR, from IaaS security monitoring solutions such as AWS GuardDuty, and from Spyderbat Flags.
Because the Operations Plane is stateful, attack traces are recognized even when they traverse hybrid and cloud environments: the systems are seen 'as they were' when each attack step took place, even if they have since changed or been destroyed.
Spyderbat Flags identify uncommon activities or system behaviors, ranging in severity from simple informational steps to truly malicious activity. They complement third-party alerts by visually identifying attack steps once those steps are automatically grouped together through causal connections.
Spyderbat Flags are extensible and easy to create; they are provided by Spyderbat and through community contribution.
Spyderbat dramatically reduces security investigation time from days to hours by providing security analysts with all causally connected threat activity, regardless of whether it is separated by time, systems, users, or other parameters.
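The following is an added illustration of the causal-grouping idea described above, written for this page; it is not Spyderbat code and does not reflect how the Operations Plane is actually implemented. It builds a small graph from constructed telemetry (process spawns and one network connection, with hostnames, users, and alert ids all made up for the example) and contrasts grouping alerts by host with grouping them by causal reachability. The scenario is a phished workstation user whose session hops over SSH to a server under a different account, so host- and user-based grouping splits the attack in two while lumping in an unrelated alert.

```python
"""Causal alert grouping over constructed process and connection telemetry.

Added example for this page, not Spyderbat's code. All hosts, users, pids and
alert ids below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Process:
    pid: str               # globally unique id, here "host:pid"
    host: str
    user: str
    parent: Optional[str]  # pid that spawned it; None if the spawn was not observed


@dataclass(frozen=True)
class Connection:
    src: str  # pid that initiated the network connection
    dst: str  # pid that accepted it, possibly on another host


@dataclass(frozen=True)
class Alert:
    alert_id: str
    pid: str     # process the alert was raised on
    source: str  # hypothetical label for the control that raised it


class CausalGraph:
    """Causal links (parent->child spawn, src->dst connection), kept as an
    undirected adjacency so a trace can walk both up and down the chain."""

    def __init__(self) -> None:
        self.processes: dict[str, Process] = {}
        self.edges: dict[str, set[str]] = defaultdict(set)

    def add_process(self, proc: Process) -> None:
        # Records stay in the graph even if the host or container is later gone.
        self.processes[proc.pid] = proc
        if proc.parent is not None:
            self._link(proc.parent, proc.pid)

    def add_connection(self, conn: Connection) -> None:
        self._link(conn.src, conn.dst)

    def _link(self, a: str, b: str) -> None:
        self.edges[a].add(b)
        self.edges[b].add(a)

    def trace(self, pid: str) -> set[str]:
        """Every pid reachable through causal links, across hosts and users."""
        seen, queue = {pid}, deque([pid])
        while queue:
            for nxt in self.edges[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen


def group_by_host(graph: CausalGraph, alerts: list[Alert]) -> dict[str, set[str]]:
    """The basic method: alerts on the same host belong together."""
    groups: dict[str, set[str]] = defaultdict(set)
    for a in alerts:
        groups[graph.processes[a.pid].host].add(a.alert_id)
    return dict(groups)


def group_causally(graph: CausalGraph, alerts: list[Alert]) -> list[set[str]]:
    """Alerts whose processes are causally connected form one group."""
    groups: list[set[str]] = []
    assigned: set[str] = set()
    for a in alerts:
        if a.alert_id in assigned:
            continue
        reach = graph.trace(a.pid)
        group = {b.alert_id for b in alerts if b.pid in reach}
        assigned |= group
        groups.append(group)
    return sorted(groups, key=min)


def build_sample_graph() -> CausalGraph:
    """Constructed telemetry: mail client -> PowerShell -> ssh on ws-7 (alice),
    accepted by a per-session sshd on srv-2 that runs a shell as svc_backup."""
    g = CausalGraph()
    g.add_process(Process("ws-7:1200", "ws-7", "alice", None))         # mail client
    g.add_process(Process("ws-7:1310", "ws-7", "alice", "ws-7:1200"))  # powershell
    g.add_process(Process("ws-7:1355", "ws-7", "alice", "ws-7:1310"))  # ssh client
    g.add_process(Process("srv-2:2190", "srv-2", "root", None))        # sshd session
    g.add_process(Process("srv-2:2201", "srv-2", "svc_backup", "srv-2:2190"))  # bash
    g.add_process(Process("srv-2:2250", "srv-2", "svc_backup", "srv-2:2201"))  # curl
    g.add_process(Process("srv-2:3000", "srv-2", "bob", None))         # unrelated login
    g.add_process(Process("srv-2:3010", "srv-2", "bob", "srv-2:3000"))
    g.add_connection(Connection("ws-7:1355", "srv-2:2190"))            # the lateral hop
    return g


SAMPLE_ALERTS = [
    Alert("A1", "ws-7:1310", "edr"),             # suspicious PowerShell on ws-7
    Alert("A2", "srv-2:2250", "cloud-monitor"),  # outbound download on srv-2
    Alert("A3", "srv-2:3010", "edr"),            # unrelated alert in bob's session
]


if __name__ == "__main__":
    graph = build_sample_graph()
    print("by host:  ", group_by_host(graph, SAMPLE_ALERTS))
    print("causally: ", group_causally(graph, SAMPLE_ALERTS))
```

Host grouping yields {ws-7: {A1}, srv-2: {A2, A3}}, splitting the intrusion across two buckets and mixing A2 with bob's unrelated A3; the causal grouping yields {A1, A2} and {A3}. Note that the connection is attached to the per-session sshd process, not the shared listener; linking to a long-lived listener would tie every SSH session on srv-2 into one trace, which is the over-linking a real implementation has to avoid.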